SQL injection in 1.5 - fixed in 1.6?

We just had an SQL injection in the 1.5 version of Piwik using the following URL:

(SQL calls omitted)

At least some of our database tables were read. As said, we were using 1.5, but without anonymous view rights (which I know had some issues fixed in 1.6). With Piwik 1.6, this exact injection is no longer possible, but was it really fixed or did the syntax simply change?


(vipsoft) #2

For obvious reasons, the developers aren’t going to answer publicly in the forum.

Send your message (and include the SQL used in the URL) to security (at) piwik.org.